AWS IAM policies should not have administrative privileges attached

AWS-IAM-Policies-Admin-Privileges_Cloud-Security

AWS IAM is Identity & Access Management service that enables a user to control access to its AWS resources. Certain practices related to IAM policy privileges should be followed so that your cloud infrastructure does not get exposed to various security attacks.

What are administrative privileges in AWS IAM policy?

AWS provisions the use of IAM policies which further allows you to grant only task-related permissions to different users across your cloud infrastructure depending upon the type of tasks assigned to them. IAM policies can be assigned to different entities such as users, groups or roles. Administrative privileges given in IAM policies means that the user assigned to the policy can perform any activity in the entire cloud infrastructure and has unrestricted access to the AWS resources.

Restricting admin privileges to just any user:

It is recommended that you should not grant administrative privileges in any IAM policy to just any user. Therefore, policies should be made and only a certain set of permissions that are required to complete the given task should be assigned to the users.

Centilytics has a dedicated insight which checks and gives warnings to the user whenever an AWS IAM policy with administrative privilege is detected.

Insight Description:

There can be 2 possible scenarios:

Severity Description
OK This indication will be displayed when the customer managed policy does not have administrative privileges attached to it.
CRITICAL This indication will be displayed when the customer managed policy has administrative privileges attached to it.

  

Description of further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user’s account.AWS IAM 1
  2. Account Name: This column shows the account name of the user’s account.AWS IAM 4
  3. Identifier: This column shows the unique ARN (Amazon Resource Number) of your AWS account.AWS IAM 3
  4. Policy Name: This column shows the name of the corresponding IAM policy.AWS IAM 5
  5. Version Id: This column shows the version id of your IAM policies.AWS IAM 7

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Compliance Applying the compliance filter will display only those security checks which fall under the selected compliance.
Severity Applying severity filter will display resources according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then selecting an environment from the resource tags filter will display all those resources tagged by the tag name environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production).

Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.

 

Compliances Covered:

Compliance Name Reference No. Link
PCI 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4,7. https://docs.aws.amazon.com/quickstart/
latest/compliance-pci/welcome.html
HIPAA 164.308(a)(4)(i) https://aws.amazon.com/quickstart/
architecture/compliance-hipaa/
ISO 27001 A.9.1.2

 

https://www.iso.org/standard/54534.html
GDPR Article 25 https://gdpr-info.eu/
NIST 800-53 AC-5, AC-6, CM-7 https://docs.aws.amazon.com/quickstart/
latest/compliance-nist/welcome.html
CIS 1.1.0 https://d0.awsstatic.com/
whitepapers/compliance/
AWS_CIS_Foundations_Benchmark.pdf

 

Read more about AWS IAM and its policies.

LEAVE A REPLY

Please enter your comment!
Please enter your name here